Author: spouliot
Date: 2006-06-14 11:29:00 -0400 (Wed, 14 Jun 2006)
New Revision: 61700
Added:
trunk/mcs/tools/security/TESTS
Modified:
Log:
2006-06-14 Sebastien Pouliot <sebastien (AT) ximian (DOT) com>
* AssemblyInfo.cs: Update copyright notice.
* signcode.cs: Add support for -x (delayed timestamp) to fix bug
#78614. Now the tool is more useful in real-life scenarios.
* TESTS: New. Instructions on how to test any changes related to
Authenticode.
Modified:
2006-06-14 15:28:24 UTC (rev 61699)
2006-06-14 15:29:00 UTC (rev 61700)
@@ -4,7 +4,7 @@
// Author:
//Sebastien Pouliot <sebastien (AT) ximian (DOT) com>
//
-// Copyright (C) 2004-2005 Novell Inc. (http://www.novell.com)
+// Copyright (C) 2004-2006 Novell Inc. (http://www.novell.com)
//
using System;
@@ -17,7 +17,7 @@
[assembly: AssemblyCompany("Motus Technologies, Novell")]
[assembly: AssemblyProduct("Mono Security Tools")]
-[assembly: AssemblyCopyright("Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.")]
+[assembly: AssemblyCopyright("Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.")]
[assembly: AssemblyVersion (Consts.MonoVersion)]
//[assembly: AssemblyConfiguration("")]
Modified:
2006-06-14 15:28:24 UTC (rev 61699)
2006-06-14 15:29:00 UTC (rev 61700)
@@ -1,3 +1,11 @@
+2006-06-14 Sebastien Pouliot <sebastien (AT) ximian (DOT) com>
+
+* AssemblyInfo.cs: Update copyright notice.
+* signcode.cs: Add support for -x (delayed timestamp) to fix bug
+#78614. Now the tool is more useful in real-life scenarios.
+* TESTS: New. Instructions on how to test any changes related to
+Authenticode.
+
2006-05-09 Sebastien Pouliot <sebastien (AT) ximian (DOT) com>
* sn.cs: Don't throw an exception on invalid assemblies (e.g.
Added: trunk/mcs/tools/security/TESTS
trunk/mcs/tools/security/TESTS2006-06-14 15:28:24 UTC (rev 61699)
trunk/mcs/tools/security/TESTS2006-06-14 15:29:00 UTC (rev 61700)
@@ -0,0 +1,164 @@
+Mono's Security Tools - TESTS
+Last updated: June 13, 2006
+
+* AUTHENTICDE
+
+Here's a short description on how to test any changes in the Authenticode tool
+set. This set includes makecert, cert2spc, signcode and chktrust.
+
+This is a _minimal_ sequence. Each input/output could be tested under Linux
+and Windows to ensure maximum compatibility.
+
+
+0. Setup
+
+% cd /mcs/tools/security
+% make
+% mono setreg.exe 1 TRUE
+% cp signcode.exe test.exe
+
+1. Create a test certificate for code-signing
+
+% mono makecert.exe -n "CN=careful tester" -sv test.pvk test.cer
+
+Mono MakeCert - version 1.1.15.0
+X.509 Certificate Builder
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+Success
+
+2. Convert the test certificate to the SPC format
+
+% mono cert2spc.exe test.cer test.spc
+
+Mono Cert2Spc - version 1.1.15.0
+Transform a set of X.509 certificates and CRLs into an Authenticode(TM) "Software Publisher Certificate"
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+Success
+
+3. Sign a PE binary (without a timestamp)
+
+% mono signcode.exe -v test.pvk -spc test.spc test.exe
+
+Mono SignCode - version 1.1.15.0
+Sign assemblies and PE files using Authenticode(tm).
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+Success
+
+4. Verify the binary from step 3
+
+% mono chktrust.exe test.exe
+
+Mono CheckTrust - version 1.1.15.0
+Verify if an PE executable has a valid Authenticode(tm) signature
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+WARNING! test.exe is not timestamped!
+SUCCESS: test.exe signature is valid
+and can be traced back to a trusted root!
+
+ note the warning about the missing timestamp
+
+5. Verify the binary from step 3 using MS tools [1]
+
+a. Using Windows Explorer, right click on the test.exe file and select
+the "Properties" menu item;
+b. From the "test.exe Properties" windows select the "Digital
+Signatures" tab;
+c. You should see "careful tester" as the "Name of signer", select it
+and click on the "Details" button;
+d. Unless you have created your test certificate with MS tools you
+should see an error (white X on a red circle) with a description
+saying "The certificate in the signature cannot be verified.";
+e. You should NT see any countersignature;
+
+6. Add a timestamp the binary from step 3
+
+% mono signcode.exe -x -t test.exe
+
+Mono SignCode - version 1.1.15.0
+Sign assemblies and PE files using Authenticode(tm).
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+Success
+
+7. Verify the binary from step 6
+
+% mono chktrust.exe test.exe
+
+Mono CheckTrust - version 1.1.15.0
+Verify if an PE executable has a valid Authenticode(tm) signature
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+SUCCESS: test.exe signature is valid
+and can be traced back to a trusted root!
+
+ note that there is N warning this time
+
+8. Verify the binary from step 6 on Windows [1]
+
+a. Follow step 5 from 'a' to 'd'
+b. This time you should see a countersignature;
+
+9. Sign a PE binary with a timestamp
+
+% mono signcode.exe -v test.pvk -spc test.spc -t test.exe
+
+Mono SignCode - version 1.1.15.0
+Sign assemblies and PE files using Authenticode(tm).
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+Success
+
+10. Verify the binary from step 9
+
+% mono chktrust.exe test.exe
+
+Mono CheckTrust - version 1.1.15.0
+Verify if an PE executable has a valid Authenticode(tm) signature
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+SUCCESS: test.exe signature is valid
+and can be traced back to a trusted root!
+
+11. Verify the binary from step 9 on Windows [1]
+
+a. Follow step 5 from 'a' to 'd'
+b. This time you should see a countersignature;
+
+12. Add (another) timestamp the binary from step 9
+
+% mono signcode.exe -x -t test.exe
+
+Mono SignCode - version 1.1.15.0
+Sign assemblies and PE files using Authenticode(tm).
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+Success
+
+13. Verify the binary from step 12
+
+Mono CheckTrust - version 1.1.15.0
+Verify if an PE executable has a valid Authenticode(tm) signature
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.
+
+SUCCESS: test.exe signature is valid
+and can be traced back to a trusted root!
+
+14. Verify the binary from step 12 on Windows [1]
+
+a. Follow step 5 from 'a' to 'd'
+b. This time you should see TW (2) countersignature, the same one as
+step 11 and a new one;
+
+15. Clean up
+
+% rm test.*
+% mono setreg.exe 1 FALSE
+
+
+[1] this step must be done on Windows using MS Authenticode(r) tools.
+
+sebastien (AT) ximian (DOT) com
Modified:
2006-06-14 15:28:24 UTC (rev 61699)
2006-06-14 15:29:00 UTC (rev 61700)
@@ -5,7 +5,7 @@
//Sebastien Pouliot <sebastien (AT) ximian (DOT) com>
//
// (C) 2003 Motus Technologies Inc. (http://www.motus.com)
-// (C) 2004 Novell (http://www.novell.com)
+// Copyright (C) 2004,2006 Novell, Inc (http://www.novell.com)
//
using System;
@@ -106,7 +106,7 @@
CspParameters csp = new CspParameters ();
string pvkFilename = null;
string spcFilename = null;
-int timestampRetry = 0;
+int timestampRetry = 1;
int timestampDelay = 0;
bool sign = true;
@@ -116,7 +116,7 @@
AuthenticodeFormatter af = new AuthenticodeFormatter ();
int i = 0;
-while (i < args.Length) {
+while (i < args.Length - 1) {
switch (args[i++]) {
case "-spc":
spcFilename = args [i++];
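Review bot: The new bound `while (i < args.Length - 1)` reserves the last argument for the file to be signed, which keeps value-taking options such as `-spc` on the next line (`args [i++]`) from indexing past the end, but it makes an option-only command line skip the loop entirely: with `-?` as the sole argument, `args.Length - 1` is 0, the body never runs, and the `case "-?"` added in the later hunk at @@ -204,6 is never reached, so the tool presumably proceeds as if asked to sign a file named `-?` (what happens next depends on code outside the hunk). The bound also does not catch an option swallowing the reserved argument: for `-spc test.spc` as the last two arguments the loop exits with `i == args.Length` and the same string is presumably reused as the target file (tbsFilename is assigned outside the hunk). Handling `-?` before the loop and adding `if (i != args.Length - 1) { Help (); return 1; }` after it would reject both cases instead of signing or overwriting the wrong file. The enclosing method starts before this hunk.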
@@ -204,6 +204,10 @@
case "-jp":
Console.WriteLine ("Unsupported option {0}", args[i-1]);
return 1;
+// other options
+case "-?":
+Help ();
+return 0;
}
}
@@ -227,24 +231,33 @@
Console.WriteLine ("No certificates available to sign the assembly.");
return 1;
}
-af.Certificates.AddRange (certs);
-
-af.Sign (tbsFilename);
-}
-/* TD
-if (af.TimestampURL != null) {
-for (int j=0; j < timestampRetry + 1; j++) {
-if (!af.Timestamp (tbsFilename)) {
-Thread.Sleep (timestampDelay);
-continue;
-}
-break;
-}
-}*/
-// temp
-if ((timestampRetry 0) || (timestampDelay 0)) {
-Console.WriteLine ("Timestamp retries and delays aren't implemented.");
-}
+af.Certificates.AddRange (certs);
+
+if (!af.Sign (tbsFilename)) {
+Console.WriteLine ("Couldn't sign file '{0}'.", tbsFilename);
+return 1;
+}
+} else if (af.TimestampUrl != null) {
+bool ts = false;
+// only timestamp an already signed file
+for (int j = 0; j < timestampRetry && !ts; j++) {
+ts = af.Timestamp (tbsFilename);
+// wait (unless it's the last try) and retry
+if (!ts && (j < timestampRetry - 1)) {
+Console.WriteLine ("Couldn't timestamp file '{0}', will retry in {1} ms", tbsFilename, timestampDelay);
+Thread.Sleep (timestampDelay);
+}
+}
+if (!ts) {
+Console.WriteLine ("Couldn't timestamp file '{0}' after {1} retries.", tbsFilename, timestampRetry);
+return 1;
+}
+} else {
+Help ();
+return 1;
+}
+
+Console.WriteLine ("Success");
return 0;
}
}
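Review bot: The failure message `Console.WriteLine ("Couldn't timestamp file '{0}' after {1} retries.", tbsFilename, timestampRetry);` reports timestampRetry as a number of retries, but the loop `for (int j = 0; j < timestampRetry && !ts; j++)` treats it as the total number of attempts (the new default of 1 in the hunk at @@ -106,7 means one attempt and no retry), so the message overstates by one; `"Couldn't timestamp file '{0}' after {1} attempt(s)."` matches the loop, and a timestampRetry of 0, if the option parser allows it, would report failure without ever contacting the timestamp server. The retry branch also leaves the meaning of a false return from `af.Timestamp (tbsFilename)` undocumented: nothing in the hunk shows whether the countersignature returned by the timestamp server is verified before being written into the file, nor whether a network failure surfaces as false or as an exception (which would bypass the retry loop and the Thread.Sleep). A comment on the `else if (af.TimestampUrl != null)` branch such as `// Timestamp() returns false when no usable countersignature was obtained; confirm whether network errors throw instead` would help the next maintainer once confirmed against AuthenticodeFormatter. The enclosing Main starts before this hunk.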